From acdeb162b8c2e7d036c34690de85dea70277713d Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 9 Feb 2021 18:12:54 +0100 Subject: Create instance actor if it hasn't been properly seeded (#15693) An uncommon but somewhat difficult to digagnose issue is dealing with improperly-seeded databases. In such cases, instance-signed fetches will fail with a ActiveRecord::RecordNotFound error, usually caught and handled as generic 404, leading people to think the remote resource itself has not been found, while it's the local instance actor that does not exist. This commit changes the code so that failure to find the instance actor automatically creates a new one, so that improperly-seeded databases do not cause any issue. --- app/controllers/instance_actors_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/instance_actors_controller.rb b/app/controllers/instance_actors_controller.rb index 4b074ca19..b3b5476e2 100644 --- a/app/controllers/instance_actors_controller.rb +++ b/app/controllers/instance_actors_controller.rb @@ -13,7 +13,7 @@ class InstanceActorsController < ApplicationController private def set_account - @account = Account.find(-99) + @account = Account.representative end def restrict_fields_to -- cgit From e79f8dd85cb63125185fdf711f470c298a0b5dbc Mon Sep 17 00:00:00 2001 From: Cecylia Bocovich Date: Wed, 10 Feb 2021 22:40:13 -0500 Subject: Onion service related changes to HTTPS handling (#15560) * Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland --- Gemfile | 2 ++ Gemfile.lock | 4 ++++ app/controllers/application_controller.rb | 2 +- app/lib/webfinger.rb | 12 ++++++++++-- config/initializers/devise.rb | 6 ------ config/initializers/makara.rb | 1 - config/initializers/secureheaders.rb | 10 ++++++++++ config/initializers/session_store.rb | 1 - 8 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 config/initializers/secureheaders.rb (limited to 'app/controllers') diff --git a/Gemfile b/Gemfile index 78cb44168..8d8542f83 100644 --- a/Gemfile +++ b/Gemfile @@ -161,3 +161,5 @@ gem 'connection_pool', require: false gem 'xorcist', '~> 1.1' gem 'pluck_each', '~> 0.1.3' + +gem 'secure_headers', '~> 3.5' diff --git a/Gemfile.lock b/Gemfile.lock index bd32f72a7..4237d6bba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -571,6 +571,8 @@ GEM scenic (1.5.4) activerecord (>= 4.0.0) railties (>= 4.0.0) + secure_headers (3.9.0) + useragent securecompare (1.0.0) semantic_range (2.3.0) sidekiq (6.1.3) @@ -652,6 +654,7 @@ GEM unf_ext (0.0.7.7) unicode-display_width (1.7.0) uniform_notifier (1.13.2) + useragent (0.16.10) warden (1.2.9) rack (>= 2.0.9) webauthn (3.0.0.alpha1) @@ -795,6 +798,7 @@ DEPENDENCIES ruby-progressbar (~> 1.11) sanitize (~> 5.2) scenic (~> 1.5) + secure_headers (~> 3.5) sidekiq (~> 6.1) sidekiq-bulk (~> 0.2.0) sidekiq-scheduler (~> 3.0) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 44616d6e5..c9311c1b6 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base private def https_enabled? - Rails.env.production? && !request.path.start_with?('/health') + Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion") end def authorized_fetch_mode? diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb index 702365939..40795a7aa 100644 --- a/app/lib/webfinger.rb +++ b/app/lib/webfinger.rb @@ -88,10 +88,18 @@ class Webfinger end def standard_url - "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/webfinger?resource=#{@uri}" + else + "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + end end def host_meta_url - "https://#{@domain}/.well-known/host-meta" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/host-meta" + else + "https://#{@domain}/.well-known/host-meta" + end end end diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index ef612e177..d3757b0d3 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden| value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else @@ -229,10 +227,6 @@ Devise.setup do |config| # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false - # Options to be passed to the created cookie. For instance, you can set - # secure: true in order to force SSL only cookies. - config.rememberable_options = { secure: true } - # ==> Configuration for :validatable # Range for password length. config.password_length = 8..72 diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb index dc88fa63c..afd29eda8 100644 --- a/config/initializers/makara.rb +++ b/config/initializers/makara.rb @@ -1,2 +1 @@ Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax -Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb new file mode 100644 index 000000000..6c8ac7fbe --- /dev/null +++ b/config/initializers/secureheaders.rb @@ -0,0 +1,10 @@ +SecureHeaders::Configuration.default do |config| + config.cookies = { + secure: true, + httponly: true, + samesite: { + lax: true + } + } + config.csp = SecureHeaders::OPT_OUT +end diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index e5d1be4c6..7e3471ac4 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,5 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } -- cgit From 15ced8728ff89932e3f8febf119f63c78ac9a960 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 12 Feb 2021 07:19:15 +0100 Subject: Refactor Api::Web::SettingsController (#15717) --- app/controllers/api/web/settings_controller.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/api/web/settings_controller.rb b/app/controllers/api/web/settings_controller.rb index 3d65e46ed..601e25e6e 100644 --- a/app/controllers/api/web/settings_controller.rb +++ b/app/controllers/api/web/settings_controller.rb @@ -2,17 +2,16 @@ class Api::Web::SettingsController < Api::Web::BaseController before_action :require_user! + before_action :set_setting def update - setting.data = params[:data] - setting.save! - + @setting.update!(data: params[:data]) render_empty end private - def setting - @_setting ||= ::Web::Setting.where(user: current_user).first_or_initialize(user: current_user) + def set_setting + @setting = ::Web::Setting.where(user: current_user).first_or_initialize(user: current_user) end end -- cgit